Monitoring system

ABSTRACT

The invention relates to a monitoring system, having an output module for generating a control signal in response to an input signal, a monitoring module for generating the input signal for the output module, an output device for outputting an output signal in response to the control signal, and a feedthrough device for preventing outputting of the output signal. According to the invention, the monitoring module is designed to instruct the feedthrough device to prevent outputting of the output signal when there is a deviation between the control signal and a control signal which is expected on the basis of the input signal.

FIELD OF THE INVENTION

The invention relates to a monitoring system for monitoringsafety-relevant processes.

BACKGROUND OF THE INVENTION

A field bus is a known industrial communication system, used for datatransfer systems, which connects numerous linked field devices, such assensors, control elements, and/or actuators to a control device, whereinthe devices which provide the actual connection to the bus are referredto as “bus users.”

For a number of applications, the deterministics, i.e., thepredetermination and immutability in the transfer of process data, aremore important than the actual transfer speed itself. For example, fieldbuses having users connected thereto are known, in which process dataare cyclically transferred via a shared transmission channel fortransferring process data between individual users, and thus fortransmitting and receiving process data, in particular process inputdata, process output data, and control data. For this purpose, duringpredetermined data cycles it is common for a user which functions as amaster to read protocol-specific data from field devices which areconnected to slave users, and during each subsequent data cycle to writeto field devices which are connected to slave users.

In many system applications, the data to be transferred are alsosafety-relevant data, at least in part, so that data transfer errorsmust be recognized as soon as possible, and upon recognition of an errora timely response must be made; for example, a field device, user, or(sub)system must be converted to a safe state. For transfer ofsafety-relevant data via a bus, essentially six error classes must beconsidered: repetition, loss, insertion, incorrect sequence, deletion,and delay of safety-relevant data. The transfer of these data musttherefore be secure.

To ensure secure transfer of data, in particular safety-relevant processdata, at least in such a way that the listed error classes may also berecognized when they are present, it is basically common practice tosupplement the transferred data with additional control data, forexample time stamps, user information, and/or check information such ascycle redundancy checks (CRCs). However, a major disadvantage is thatthe overhead to be transferred greatly increases compared to the userdata to be transferred, thus reducing the protocol efficiency. Thisweakness is particularly serious when the number or frequency ofsafety-relevant user data items per user which must be transferred islow. Another disadvantage of previously known monitoring systems forsafety-related data is that, in order to implement user-specificprocesses having safety-oriented outputs, at least two microcontrollersor complex hardware circuits are always necessary for processing complexprotocol tasks.

SUMMARY OF THE INVENTION

The object of the present invention is to provide a concept by means ofwhich the complexity of hardware, software, and qualification, andtherefore the manufacturing costs, for field devices havingsafety-related outputs may be reduced.

The invention is based on the finding that the processing functions ofan output module which controls an actuator having a risk potential mayhave a single-channel design, and may also be monitored by a separatemonitoring module, for example a safety master module. If the monitoringmodule identifies a deviation from expected behavior or an irregularityin the processing operation, it is able to convert the entire system,which may comprise multiple output modules, for example multiple safetyoutput modules, to a safe state. The output module(s) may be convertedto the safe state, for example, independently of the particularprocessing unit, using an auxiliary channel which allows feedthrough ofthe monitoring module, and which is therefore referred to below as a“feedthrough device.”

Thus, the safety function is distributed over the monitoring module(safety master) and the output module (safety output module). The safetymaster is assisted by the simple, inexpensive switch-off mechanism ofthe feedthrough device. In addition, it is advantageous for thefunctionality of the inventive concept to integrate the output enablepulse into the bus protocol, for example. By using a decentralizedmicroprocessor it is also possible to integrate the control informationfor the monoflop, which enables or switches off an output of the outputmodule or a suitable output device. The control information may, forexample, be modulated into the data signal at specified times, thusallowing efficient control of the feedthrough device.

According to one aspect, the invention relates to a monitoring systemhaving an output module for generating a control signal in response toan input signal, a monitoring module for generating the input signal forthe output module, an output device for outputting an output signal inresponse to the control signal, and a feedthrough device for preventingor halting outputting of the output signal, wherein the monitoringmodule is designed to instruct the feedthrough device to prevent or haltoutputting of the output signal when there is a deviation between thecontrol signal and a control signal which is expected on the basis ofthe input signal.

According to one embodiment, the output module is designed to transmitthe control signal to the monitoring module, wherein the monitoringmodule is designed to receive the control signal, and to transmit afeedthrough signal to the feedthrough device when there is a deviation.

According to one embodiment, the monitoring module and the output moduleor the feedthrough device are designed to communicate via acommunication network, in particular via a communication bus.

According to one embodiment, the monitoring module is designed togenerate an enabling signal and to transmit it to the output module ifthe control signal corresponds to the expected control signal, whereinthe enabling signal indicates the enabling of the output signal.

According to one embodiment, the feedthrough device is situated in themonitoring module or in the output module.

According to one embodiment, the feedthrough device is situated in theoutput module, wherein the monitoring module is designed to transmit afeedthrough signal to the feedthrough device to prevent outputting ofthe output signal, and the feedthrough device is designed to prevent orhalt outputting of the output signal in response to the feedthroughsignal.

According to one embodiment, the monitoring module is designed tocompare the control signal to the expected control signal in order totest the control signal for the presence of the deviation.

According to one embodiment, the output device includes, for example, arelay or an analogous output stage having a data path for receiving thecontrol signal, and a power supply path for supplying the output devicewith electrical power, wherein the feedthrough device is designed to actto prevent outputting of the output signal on the data path or on thepower supply path. The analogous output stage may be designed, forexample, for a range between 4 mA and 20 mA, the output current of whichis less than 3 mA in the event of an error.

According to one embodiment, the feedthrough device includes amonostable flip-flop, in particular a flip-flop or a monoflop, whereinthe output device has a data path and a power supply path, and an outputof the flip-flop is linked, in particular via an output transistor, tothe data path or to the power supply path in order to act on the datapath or the power supply path, in particular in response to afeedthrough signal which may be applied at an input of the flip-flop.

According to one embodiment, the feedthrough device is designed toconvert the output device to a blocking mode in response to afeedthrough signal, in particular to switch off the output device, orinterrupt the output thereof, or interrupt the data path or controlsignal path thereof, or disconnect the power supply thereof.

According to one embodiment, the output module includes amicrocontroller which is provided to receive the input signal and togenerate the control signal.

According to one embodiment, the monitoring module and the output moduleare separate modules.

The invention relates to a method for monitoring an output module usinga monitoring module, wherein a control signal is generated by the outputmodule in response to an input signal, and the input signal for theoutput module is generated by the monitoring module, wherein an outputsignal is output in response to the control signal, and outputting ofthe output signal is prevented by a feedthrough device when there is adeviation between the control signal and a control signal which isexpected on the basis of the input signal. Further steps of the methodfor monitoring the output module result directly from the functionalityof the monitoring module according to the invention.

BRIEF DESCRIPTION OF THE DRAWINGS

Further exemplary embodiments of the invention are explained in greaterdetail with reference to the accompanying drawings, which show thefollowing:

FIG. 1 shows a design principle of a monitoring system;

FIG. 2 shows a block diagram of a monitoring system;

FIG. 3 shows a block diagram of an output module;

FIG. 4 shows a data frame structure; and

FIG. 5 shows a block diagram of an output module.

DETAILED DESCRIPTION

Reference is first made to FIG. 1, which shows a basic system designwhich may be used within the scope of the invention. From a topologicalstandpoint the illustrated system design is configured as a line,although a star topology or any given mixed forms are also possible.

Five bus users connected to a bus 600 are shown. A first bus user is amonitoring module 100, for example a safety-related master, which isalso referred to below as a safety master, and which in the presentexample at the same time is also the bus master, although this is notmandatory within the scope of the invention. In general, this mayinvolve a given, appropriately specified safety user. A second bus useris a safety-related slave output user 200, also referred to below as anoutput module or safety output slave, and a third bus user is asafety-related slave input user 300, also referred to below as a safetyinput slave. A fourth bus user is a nonsafety-related slave output user400, also referred to below as an output slave, and a fifth bus user isa nonsafety-related slave input user 500, also referred to below as aninput slave. Security-related users, i.e., users which processsafety-relevant process data, and nonsafety-related users may thus bemixed and also positioned as desired.

With regard to the safety-related users of the system design illustratedby way of example, connected to the safety master 100 is an emergencystop switch 110, for example, the safety-relevant input information ofwhich user 100 redundantly receives via two inputs 121 and 122, and, ina manner specific to the protocol, first processes same via tworedundant processing channels 131 and 132 before the signal is coupledto bus 600. A motor 210, for example, is connected to the safety outputslave 200, wherein, after decoupling of the signal from bus 600, in amanner specific to the protocol, user 200 first carries out processingvia two redundant processing channels 231 and 232 and sends thesafety-relevant output information to the motor 210 via an output 220.Connected to the safety input slave 300 are a safety door 311 and arotational speed sensor 312, for example, the safety-relevant inputinformation of which user 300 redundantly receives via two inputs 321and 322, and, in a manner specific to the protocol, processes same via aprocessing channel 330 before the signal is coupled to bus 600.

A safety-related function is generally implemented by using redundantprocessing, for example by means of two separate channels on thehardware side, wherein the particular interface 140, 240, 340, 440, or540 of a user for bus 600 is generally implemented only as a singlechannel. In addition to reducing the required space and the cost, it isalso possible to operate with twice the number of users on the bus, inparticular with regard to bus load, current consumption, andcapacitance. Errors caused by the bus coupling, for example those basedon line drivers or galvanic insulation, may typically be recognized bythe line protocol used. However, the processing unit of thesafety-related users does not necessarily have to have a dual-channeldesign on the hardware side; in many cases it is sufficient for thesoftware to have a dual-channel design.

Bus 600 then provides the shared data line for the method according tothe invention and the transfer system for transmitting and receiving alldata, in particular process data. Such a transfer system operates based,for example, on a local interconnect network (LIN) bus known fromautomotive technology, in which during certain data cyclesprotocol-specific data may be read out by a master from field devicesconnected via users, and during each subsequent data cycle may bewritten into the field devices at approximately 19.2 to 38 kBd.

In one method according to the invention by way of example, processinput and process output data are also transferred, for example, at afixed interval, each shifted by the time of one-half bus cycle. Thus, atransfer protocol for a cyclical transfer of process input and processoutput data, for example, frequently uses two different data exchangeservices, also referred to below as data exchange mode. In this case, abus cycle therefore includes a data cycle based on a PD read service anda subsequent data cycle based on a PD write service.

For the transfer of process output data, for the PD write service amaster transmits to the users connected to the master basically all datafor the connected field devices, and then determines a cyclic redundancycheck (CRC), which it also transfers. The transfer system isadvantageously designed in such a way that all connected users also readall information transferred in this manner, and preferably likewise forma CRC, which they compare to the received CRC of the master, so that anerror message is generated in the event of an error, and selected usersor individual field devices, for example, are converted to a safe state.For transfer of the process input data, for a PD read service the masterfirst transmits, for example, a broadcast address, followed by afunction code. The other connected users then apply data from theirconnected field devices, i.e., in particular their process input data,bit for bit to the data line in respectively provided time slots. In onepreferred design, by tracking on the data line the users are in turnable to recognize all data and once again compute a CRC.

FIG. 2 shows a block diagram of a monitoring system having an outputmodule 201, and a monitoring module 203 which is in bidirectionalconnection with the output module 201. The monitoring system alsoincludes an output device 205 connected downstream from the outputmodule 201, and a feedthrough device 207 connected downstream from themonitoring module 203 and whose output is connected to the output device205. The output device 205 includes an output for outputting an outputsignal in response to a control signal generated by the output module201 on the basis of an input signal supplied by the monitoring module203. Beforehand, the output module 201 transmits the control signal tothe monitoring module 203 for checking, and the monitoring module checksthe control signal for deviation from an expected control signal. Ifthere is a deviation, which for example exceeds a predeterminedthreshold value, the monitoring module 203 instructs the feedthroughdevice 207, for example via a feedthrough signal, to prevent outputtingof the output signal. The feedthrough device 207 acts, for example,directly on the output device 205, and interrupts, for example, thepower supply or the control path or data path of the output device inorder to prevent outputting of the output signal.

Modules 201, 203, 205, and 207 do not necessarily have to be implementedin spatially separate designs. They may also be implemented on a printedcircuit board. Instead of the bus system, a separate connection, forexample over gaps, may be provided for communication.

FIG. 3 shows an output module having a bus coupling 301, amicrocontroller switching circuit 303, a feedthrough device 305, and anoutput device 307. The bus coupling 301 includes an input to which a LINbus, for example, may be coupled. The input is connected to a LIN busdriver 309 which has two terminals 313 and 315. Terminal 313 isconnected via an input resistor R₁ of feedthrough device 305 to a gateterminal of a transistor T₁ of feedthrough device 305. Transistor T₁also has a first terminal, for example an emitter terminal, which isconnected to ground. A second terminal of transistor T₁, for example acollector terminal, is connected to a clock input A of a flip-flop 317,for example a monoflop. The second output of transistor T₁ is connectedto ground via a capacitor C₁, and to a supply potential via a resistorR₂.

Flip-flop 317 also includes a data input MR which is connected to asecond terminal, for example a collector terminal, of a secondtransistor T₂. On the other hand, a first terminal of transistor T₂, forexample an emitter terminal, is connected to ground. Data input MR mayalso be connected to a supply potential via a resistor R₃. A gateterminal of transistor T₂ is connected via a resistor R₄ to a terminalof the microcontroller 319 of microcontroller switching circuit 303. Anoutput Q of flip-flop 317 is connected via a resistor R₅ to a gateterminal of a third transistor T₃, whose first terminal, for example anemitter terminal, may be connected to a supply potential, and whosesecond terminal is connected via a resistor R₆ to a further terminal ofthe microcontroller 319. Resistor R₆ is connected to ground via aresistor R₇. At the same time, the second terminal of third transistorT₃ forms an output 323 of feedthrough device 305, which is connected,for example, to a power supply input of a relay 325 of output device307. The relay 325 includes a further path 327, which may be a data pathor control path, for example. The relay 325 is also coupled to a switch329. The switch 329 bridges two contacts as a function of a relay state,it being possible to output an output signal only in the closed state ofthe switch.

The data path 327 of the relay 325 is connected to a second terminal ofa transistor T₄, for example to a collector terminal. Transistor T₄ alsoincludes a second terminal, for example an emitter terminal, which isconnected to ground. An output 329 of the microcontroller 319 isconnected to a gate of transistor T₄. A further terminal of themicrocontroller 319 is also connected via a resistor R₈ to the secondterminal of transistor T₄.

The terminal 313 of bus driver 309 is also connected to an inputterminal 331 of the microcontroller 319. On the other hand, an outputterminal 333 of the microcontroller is connected to terminal 315. Themicrocontroller 319 receives data, for example an input signal, viainput terminal 331 from a monitoring module (not illustrated in FIG. 3),and on this basis generates a control signal which is delivered to relay325 via data path 327, for example. Beforehand, however, themicrocontroller 319 transmits the control signal to the monitoringmodule (not illustrated) via output terminal 333. The monitoring modulechecks whether the control signal corresponds to an expected controlsignal, for example on the basis of the input signal, i.e., the inputdata. If there is a deviation, which for example exceeds a thresholdvalue, the monitoring module transmits a feedthrough signal via terminal313 of driver 309 to feedthrough device 305, on the basis of which, forexample, the power supply to the relay 325 is interrupted, therebypreventing or halting the closing of switch 329. The outputting of theoutput signal is prevented in this manner.

The structure of the output module illustrated in FIG. 3 is based on adual-channel design. The first channel is formed by the microcontrollercircuit 303, while the feedthrough device 305 may be understood to be asecond channel, for example as an auxiliary channel. Channel 2, i.e.,feedthrough device 305, of the output module is not necessarily designedas a complete channel. The actual safety function is implemented, forexample, by the microcontroller 319 of microcontroller circuit 303. Themicrocontroller 319 may also be provided to realize the functionalimplementation of the bus protocol, wherein the physical bus couplingmay be established, for example, by the LIN bus driver 309 illustratedin FIG. 3.

After a protocol frame, for example, has been correctly received and allprocess data channels (PDC) have passed the plausibility checks, theprocessing of the safety function using the received data may begin. Viatransistor T₄ the microcontroller 329 controls the output device 307(output stage), which by way of example may have a relay. Resistor R₈ isused for monitoring the output stage 307, and by means of themicrocontroller 319 a monitoring result is posted in the next data cycleas a safety PDC. Based on the known safety functions and the input dataor input signals, the monitoring module (not illustrated in FIG. 3) isable to check the microcontroller 319 and its output. If a deviation isidentified, the monitoring module switches the system to a safe state,using the superimposed safety mechanism which is implemented by thefeedthrough device 305. The power supply to the output stage, forexample, may be switched off in this manner.

As an alternative to the illustrated relay, for example an analogousoutput stage may be used which is designed, for example, for a rangebetween 4 mA and 20 mA, the output current of the output stage in theevent of an error being less than 3 mA.

FIG. 4 shows an example of bus timing, using a transfer cycle 400 whichmay be divided into three phases. User data are transferred in the firstphase 401. The second phase 403 is used for data checking on the frameand PDC levels. For example, if none of the users finds an error, thedata signal of the LIN bus remains in the high-level state, whichcorresponds to “high.” If an error is detected, the applicable usersends an error code as illustrated with reference to data section 405.If no error has been detected in the entire transfer and processingcycle, including checking of the output states of the safety outputs,the monitoring module, i.e., the master, generates an enabling signalfor the outputs which is evaluated by the monoflop 317 from FIG. 3. Thedata checking takes place in section 403, for example. The outputenabling is indicated by section 409.

The monoflop 317 (IC 1) is retriggerable with a monoflop trigger time of30 ms. For example, the monoflop may be triggered only when the bussignal, for at least 700 μs, for example, assumes a low-level state,referred to as “low,” represented by the output enabling 409. However,this is not ensured during a data transfer having a baud rate of atleast 14,400 baud, since at least one logical “1” is forced as a resultof the transfer of one stop at the end of each character. The quiescentlevel of the LIN bus is likewise a logical “1,” so that a longer periodof bus inactivity does not result in triggering.

As a result of the “1” level on the LIN bus, transistor T₁ illustratedin FIG. 3 is switched through, which prevents or halts charging ofcapacitor C₁, so that a negative flank cannot appear at the input ofmonoflop 317. Only a logical “low” blocks the transistor, and causescapacitor C₁ to be charged by resistor R₂. After approximately 700 μs,capacitor C₁ is charged to above the “high” switching level of monoflop317, for example, so that a change of the LIN bus signal from “low” to“high” generates a triggering flank at monoflop 317. Output/Q is thenswitched to “low,” resulting in enabling of the output stage 307. Themicrocontroller is able to check switching transistor T₄ via resistorR₈. The voltage divider, including resistors R₆ and R₇, is used to checkthe feedthrough device 305, which is implemented as an auxiliarychannel, for example. For the checking it may be advantageous to resetthe monoflop 317 via transistor T₂, resulting in blockage of transistorT₃ and therefore shutting off output stage 307. The power supply torelay 325, for example, may be disconnected in this manner.

FIG. 5 shows a block diagram of an output module having amicrocontroller circuit 501 and a feedthrough device 503. Themicrocontroller circuit 501 includes a microcontroller 505 having anadditional feedthrough device 507. An input 509 of the output module isconnected to a flip-flop 511, for example a monoflop, of the feedthroughdevice 503. The flip-flop 511 also has an output, which may be coupled,for example, to an output device (not illustrated in FIG. 5).

Input 509 is also connected to a receiving input 513 of themicrocontroller 505 and to an input 515 of the additional feedthroughdevice 507. The feedthrough device includes an input component 517 whichis connected to an input of a flip-flop 519, for example a monoflop. Anoutput of the flip-flop 519 is connected to a terminal of an outputdriver 521, for example an operational amplifier, of the additionalfeedthrough device 507. An output of the output driver 521 is connectedto a gate of a transistor T₄, whose first terminal, for example acollector terminal, forms an output 523 of the microcontroller circuit501. On the other hand, a second terminal of transistor T₄, for examplea collector terminal, is connected to ground. The second terminal oftransistor T₄ is connected via a resistor R₈ to an input element 525,for example an input driver, of the microcontroller 505 by means of afeedback loop. An output of the input element 525 is connected to adiagnostic element 527 which is connected to flip-flop 511, asillustrated in FIG. 5. An output of the diagnostic element 527 isconnected to a PDC producer 529, whose output is connected to a buselement 531. The bus element 531 is also coupled to a universalasynchronous receiver/transmitter (UART) 533. As illustrated in FIG. 5,the receiving input 513 is connected to an input of the UART 533. TheUART 533 also has an output 535, which forms an output of themicrocontroller circuit 501. The bus protocol element 531 is coupled toa PDC consumer 537, whose output is connected to a safety function block538. The safety function block 538 has an output which is connected toan input of the output element 521.

The additional feedthrough device 507 may be implemented as software,for example, while the feedthrough device 503 may be implemented ashardware. Further components implemented as hardware may be UART element533 as well as input elements 517, 525 and output element 521. On theother hand, elements 527, 529, 531, 537, 519, and 538 may be implementedas software.

The main signal path of the safety function leads from UART block 533through a protocol stack, which is implemented in the bus protocolelement 531. Data exchange occurs between the bus protocol and theprocessing unit via two buffers 529 and 537, for example, whereby theinput data of the safety function are stored in the consumer PDC buffer537. Accordingly, the output data and status data are transferred by theproducer buffer 529 to a monitoring module (not illustrated in FIG. 5).

As illustrated in FIG. 5, the output driver 521 of microcontroller 505has two inputs, whereby the safety function uses only the data input orcontrol input, for example. If the output driver 521 is released by thesecond input, this state is visible for transistor T₄. Monoflop 519implements, for example, the same function as the feedthrough device503, which may also be referred to as a second channel or an auxiliarychannel, the difference being that it may be implemented almostcompletely as software, thus providing diversity.

As an alternative to the exemplary embodiment illustrated in FIG. 5, thefeedthrough device 503 as well as its monoflop function may beimplemented by a software function. This is particularly advantageouswhen a second microcontroller is used for more complex output modules.

1. A monitoring system, having: an output module for generating acontrol signal in response to an input signal; a monitoring module forgenerating the input signal for the output module; an output device foroutputting an output signal in response to the control signal; and afeedthrough device for preventing the outputting of the output signal;wherein the monitoring module is designed to instruct the feedthroughdevice to prevent the outputting of the output signal when there is adeviation between the control signal and an expected control signal thatis expected on the basis of the input signal.
 2. The monitoring systemaccording to claim 1, wherein the output module is designed to transmitthe control signal to the monitoring module, wherein the monitoringmodule is designed to receive the control signal, and to transmit afeedthrough signal to the feedthrough device when there is a deviation.3. The monitoring system according to claim 1, wherein the monitoringmodule and the output module or the feedthrough device are designed tocommunicate via a communication network.
 4. The monitoring systemaccording to claim 1, wherein the monitoring module is designed togenerate an enabling signal and to transmit the enabling signal to theoutput module when the control signal corresponds to the expectedcontrol signal, and wherein the enabling signal indicates the enablingof the output signal.
 5. The monitoring system according to claim 1,wherein the feedthrough device is situated in the monitoring module orin the output module.
 6. The monitoring system according to claim 1,wherein the feedthrough device is situated in the output module, whereinthe monitoring module is designed to transmit a feedthrough signal tothe feedthrough device to prevent the outputting of the output signal,and wherein the feedthrough device is designed to prevent the outputtingof the output signal in response to the feedthrough signal.
 7. Themonitoring system according to claim 1, wherein the monitoring module isdesigned to compare the control signal to the expected control signal inorder to test the control signal for the presence of the deviation. 8.The monitoring system according to claim 1, wherein the output devicehas a relay or an analogous output stage having a data path forreceiving the control signal, and a power supply path for supplying theoutput device with electrical power, and wherein the feedthrough deviceis designed to act to prevent the outputting of the output signal on thedata path or on the power supply path.
 9. The monitoring systemaccording to claim 1, wherein the feedthrough device has a monostableflip-flop, wherein the output device has a data path and a power supplypath, and an output of the monostable flip-flop is linked to the datapath or to the power supply path in order to act on the data path or thepower supply path.
 10. The monitoring system according to claim 1,wherein the feedthrough device is designed to convert the output deviceto a blocking mode in response to a feedthrough signal.
 11. Themonitoring system according to claim 1, wherein the output module has amicrocontroller that is provided to receive the input signal and togenerate the control signal.
 12. The monitoring system according toclaim 1, wherein the monitoring module and the output module areseparate modules.
 13. A method for monitoring an output module using amonitoring module, having: generating, by the output module, a controlsignal in response to an input signal; generating, by the monitoringmodule, the input signal for the output module; and outputting an outputsignal in response to the control signal, wherein the outputting of theoutput signal is prevented by a feedthrough device when there is adeviation between the control signal and an expected control signal thatis expected on the basis of the input signal.
 14. The monitoring systemaccording to claim 1, wherein the monitoring module and the outputmodule or the feedthrough device are designed to communicate via acommunication bus.
 15. The monitoring system according to claim 9,wherein the output of the monostable flip-flop is linked to the datapath or to the power supply path via an output transistor.
 16. Themonitoring system according to claim 9, wherein the output of themonostable flip-flop is linked to the data path or to the power supplypath in order to act on the data path or the power supply path inresponse to a feedthrough signal when applied at an input of themonostable flip-flop.
 17. The monitoring system according to claim 1,wherein the feedthrough device is designed to convert the output deviceto a blocking mode in response to a feedthrough signal so as to switchoff the output device.
 18. The monitoring system according to claim 1,wherein the feedthrough device is designed to convert the output deviceto a blocking mode in response to a feedthrough signal so as tointerrupt the output thereof.
 19. The monitoring system according toclaim 1, wherein the feedthrough device is designed to convert theoutput device to a blocking mode in response to a feedthrough signal soas to interrupt a data path thereof.
 20. The monitoring system accordingto claim 1, wherein the feedthrough device is designed to convert theoutput device to a blocking mode in response to a feedthrough signal soas to disconnect a power supply thereof.